MISC-43: Set up to sign Github commits

Issue Information

Issue Type: Task
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Miscellaneous (MISC)
Resolution: Done (2020-11-05 16:50:27)
Labels: Commits, Git, GnuPG, PGP, Signing,

Created: 2020-11-05 15:52:43

I should really have set up to sign commits on Github (and other places) ages ago, but have never quite gotten around to it.

Now seems as good a time as any to catch up.



For this I'm going to generate a new key to use for signing, and then sign that with my main key (i.e. the one that has a public key published here - https://www.bentasker.co.uk/about-me )
I already have GnuPG installed, so it's just a case of creating and signing a key.

ben@milleniumfalcon:~$ gpg --gen-key

gpg: key 4C1EBA9B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2024-08-27
pub   4096R/4C1EBA9B 2020-11-05
      Key fingerprint = EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B
uid                  B Tasker (Code Signing Key) <github@<Domain Hidden>>
sub   4096R/9DBA26B6 2020-11-05

For further commands, I want to capture the key ID:
ben@milleniumfalcon:~$ MY_KEY=$(gpg --list-secret-keys --keyid-format LONG | grep ^sec | tail -1 | cut -f 2 -d "/" | cut -f 1 -d " ")

So, we want to sign the key with my main key.

ben@milleniumfalcon:~$ gpg --sign-key $MY_KEY

Send the signed key to keyservers so they can be verified outside of Github if needed
ben@milleniumfalcon:~$ gpg --keyserver pgp.mit.edu --send-keys $MY_KEY
gpg: sending key 4C1EBA9B to hkp server pgp.mit.edu
ben@milleniumfalcon:~$ gpg --keyserver keyserver.ubuntu.com --send-keys $MY_KEY
gpg: sending key 4C1EBA9B to hkp server keyserver.ubuntu.com

Now export it
ben@milleniumfalcon:~$ gpg --armor --export "${MY_KEY}" > signing_keys.txt

Added to Github here - https://github.com/settings/keys

Time to configure git and then do a test commit
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global commit.gpgsign true
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global tag.gpgsign true
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global user.signingkey "${MY_KEY}"

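An added shell example (not part of the issue, nor Ben's own script) that selects the signing key by its user ID from gpg's machine-readable `--with-colons` listing rather than assuming it is the last key in the output, then derives the long and short key IDs from the fingerprint and emits the `git config` lines above. The listing is constructed to mirror the two keys named in this issue; the email domains and subkey fingerprints are placeholders.

```shell
#!/usr/bin/env sh
# SAMPLE_LISTING is a constructed stand-in for the real command:
#   gpg --with-colons --fingerprint --list-secret-keys
# Subkey fingerprints and e-mail domains are placeholders, not real values.
SAMPLE_LISTING='sec:u:4096:1:B7EF75486E08CD6F:1409356800:::u:::scESC:::+:::23::0:
fpr:::::::::C01D970B3A2416892C1ED42FB7EF75486E08CD6F:
uid:u::::1409356800::0000000000000000000000000000000000000001::B Tasker (Main Key) <ben@example.com>::::::::::0:
ssb:u:4096:1:0000000000000001:1409356800::::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000001:
sec:u:4096:1:8DC652174C1EBA9B:1604591563:::u:::scESC:::+:::23::0:
fpr:::::::::EFDA29FF1E389DA355A12A168DC652174C1EBA9B:
uid:u::::1604591563::0000000000000000000000000000000000000002::B Tasker (Code Signing Key) <github@example.com>::::::::::0:
ssb:u:4096:1:000000009DBA26B6:1604591563::::::e:::+:::23:
fpr:::::::::000000000000000000000000000000009DBA26B6:'

# Print the 40-hex primary-key fingerprint of the key whose user ID contains $1.
# Reads a colon-format listing on stdin. In the colon format the first "fpr"
# record after "sec"/"pub" belongs to the primary key; later ones are subkeys.
fpr_for_uid() {
  awk -F: -v want="$1" '
    $1 == "sec" || $1 == "pub" { primary = 1; fpr = "" }   # new primary key
    $1 == "ssb" || $1 == "sub" { primary = 0 }             # subkeys follow
    $1 == "fpr" && primary && fpr == "" { fpr = $10 }     # field 10 = fingerprint
    $1 == "uid" && primary && index($10, want) { print fpr; exit }
  '
}

# The long (16-hex) and short (8-hex) key IDs are simply the tail of the
# fingerprint; the short form is what the issue shows as 4C1EBA9B.
long_keyid()  { printf '%s' "$1" | tail -c 16; }
short_keyid() { printf '%s' "$1" | tail -c 8; }

# Resolve the signing key by UID and emit the git config commands from the
# issue, passing the full fingerprint so a short-ID collision cannot pick
# the wrong key. Fails (non-zero) when no key matches.
git_signing_config() {
  fpr=$(printf '%s\n' "$SAMPLE_LISTING" | fpr_for_uid "$1")
  [ -n "$fpr" ] || { echo "no secret key with UID matching '$1'" >&2; return 1; }
  printf 'git config --global user.signingkey %s\n' "$fpr"
  printf 'git config --global commit.gpgsign true\n'
  printf 'git config --global tag.gpgsign true\n'
}

git_signing_config "Code Signing Key"
```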
Commit shows as verified - https://github.com/bentasker/dns.bentasker.co.uk/commit/d12f725aa589ea16d1551cf8d4507cddbe307c22

btasker changed Project from 'Home LAN' to 'Miscellaneous'
btasker changed Key from 'LAN-177' to 'MISC-43'

One change I have made - although I originally had GnuPG installed, it pushed a GUI prompt every time my key needed unlocking - quite jarring.

So I've switched it to using a CLI-based prompt:
sudo apt-get install pinentry-tty
sudo update-alternatives --config pinentry

Key also uploaded to Gitlab - https://gitlab.com/-/profile/gpg_keys

Gitlab seems to have additional steps required, otherwise the GPG key shows up as "Unverified" - the email address needs to have been added to the account (here: https://gitlab.com/-/profile/emails).

Created a repo to act as a backup and pushed my DNS repo there, commit shows as verified - https://gitlab.com/bentasker/dns.bentasker.co.uk/-/commit/d12f725aa589ea16d1551cf8d4507cddbe307c22

btasker added 'Commits Git GnuPG PGP Signing' to labels
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'

I've created a repo to house copies of my keys so that the paranoid can validate for themselves; there's a copy in both Github and Gitlab:

- https://github.com/bentasker/pgp_public_keys
- https://gitlab.com/bentasker/pgp_public_keys

Which means they're ultimately also mirrored at https://publicrepos.bentasker.co.uk/projects/pgp_public_keys.git/trees

Relevant Key IDs are:

- 4C1EBA9B
- 6E08CD6F

With the following fingerprints:
pub   4096R/6E08CD6F 2014-08-30 B Tasker (Main Key) <ben@<Domain Hidden>>
 Primary key fingerprint: C01D 970B 3A24 1689 2C1E  D42F B7EF 7548 6E08 CD6F

pub   4096R/4C1EBA9B 2020-11-05 B Tasker (Code Signing Key) <github@<Domain Hidden>>
 Primary key fingerprint: EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B